US12218982B1ActiveUtility

Cloud security control platform that enforces scope-based security controls

61
Assignee: SONRAI SECURITY INCPriority: Dec 1, 2023Filed: Jun 27, 2024Granted: Feb 4, 2025
Est. expiryDec 1, 2043(~17.4 yrs left)· nominal 20-yr term from priority
H04L 63/101H04L 63/20
61
PatentIndex Score
0
Cited by
29
References
13
Claims

Abstract

A cloud security control platform and method enforces security controls across multiple cloud environments, services and disparate teams while providing a frictionless “Permissions on Demand” mechanism for approvals and exceptions. In contrast to the prior art, security is evaluated on a permission by permission basis, with the default being that all permissions are denied and then only given to a particular identity on an as-needed basis. This approach reduces the security risks associated with the vast capabilities available in Public Cloud environments and permits an organization that uses the platform to grant access, approve exceptions and delegate approvals with the appropriate compliance.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
       1. A method implemented in a security control platform to enforce scope-based security controls, comprising:
 providing a cloud intelligence data model that, for a particular enterprise, associates resources, activities and associated permissions associated with multiple cloud providers and accounts; 
 with respect to a given cloud provider of the multiple cloud providers used by the particular enterprise, identifying a scope, wherein the scope is any point within a delimited path into a particular cloud environment of that given cloud provider, wherein the given cloud provider and at least one other cloud provider of the multiple cloud providers define contents of a respective scope differently from one another; 
 normalize the identified scope for use by the security control platform to optimally apply a security control; 
 based at least in part on the cloud intelligence data model, configuring a security policy for the particular cloud environment of the given cloud provider, the security policy by default denying all permissions with respect to the identified scope; 
 instantiating the security policy in the particular cloud environment of the given cloud provider of the multiple cloud providers used by the particular enterprise; and 
 using the instantiated security policy, and with respect to the identified scope associated with the given cloud provider, implementing permissions-on-demand with respect to one or more identities within the particular cloud environment. 
 
     
     
       2. The method as described in  claim 1  wherein the permissions-on-demand include receiving and automatically applying control exception approvals directly in the particular cloud environment. 
     
     
       3. The method as described in  claim 1  wherein the permissions-on-demand include receiving and routing to external approvers control violations or permission requests. 
     
     
       4. The method as described in  claim 3  wherein an external approver is distinct from an individual that manages the particular cloud environment at the identified scope. 
     
     
       5. The method as described in  claim 1 , wherein the security policy applies one of a set of predefined restrictions, the predefined restrictions being use of a given service at the identified scope, use of a given region for the identified scope, use of one or more permissions on a service at the given scope together with inherited scopes, and creation of resources at the identified scope. 
     
     
       6. The method as described in  claim 5  wherein the security policy is applied via infrastructure-as-code that is specific to the particular cloud environment. 
     
     
       7. The method as described in  claim 1  wherein the scope is an entirety of the particular cloud environment. 
     
     
       8. The method as described in  claim 1  further including enabling a preview mode that enables identification of cloud entities that violate the security policy. 
     
     
       9. The method as described in  claim 1  implemented as-a-service. 
     
     
       10. The method as described in  claim 1  wherein the set of permissions are configurable. 
     
     
       11. An apparatus, comprising:
 at least one hardware processor; and 
 computer memory associated with the hardware processor and holding computer software, the computer software comprising program code configured as a security control platform to be executed by the hardware processor to enforce scope-based security controls, the program code configured to:
 manage a cloud intelligence data model that, for a particular enterprise, associates resources, activities and associated permissions associated with multiple cloud providers and accounts; 
 with respect to a given cloud provider of the multiple cloud providers used by the particular enterprise, identifies a scope, wherein the scope is any point within a delimited path into a particular cloud environment of that given cloud provider, wherein the given cloud provider and at least one other cloud provider of the multiple cloud providers define contents of a respective scope differently from one another; 
 normalize the identified scope for use by the security control platform to optimally apply a security control; 
 based at least in part on the cloud intelligence data model, configures a security policy for the particular cloud environment, the security policy by default denying all permissions with respect to the identified scope; 
 instantiates the security policy in the particular cloud environment of the given cloud provider of the multiple cloud providers used by the particular enterprise; and 
 using the instantiated security policy, and with respect to the identified scope associated with the given cloud provider, implements permissions-on-demand with respect to one or more identities within the particular cloud environment. 
 
 
     
     
       12. A method implemented in a security control platform to enforce scope-based security controls, comprising:
 providing a cloud intelligence data model that, for a particular enterprise, associates resources, activities and associated permissions associated with multiple cloud providers and accounts; 
 providing one or more pre-defined restrictions that are configured to be enforced with respect to a cloud environment; 
 with respect to a given cloud provider of the multiple cloud providers used by the particular enterprise, identifying a scope, wherein the scope identifies a delimited path into a particular cloud environment of that given cloud provider, wherein the scope is normalized and used by the security control platform to optimally apply a requested security control, wherein the given cloud provider and at least one other cloud provider of the multiple cloud providers define contents of a respective scope differently from one another; 
 based at least in part on the cloud intelligence data model, configuring a security policy for the particular cloud environment of the given cloud provider, the security policy configured to apply at least one of the pre-defined restrictions to the identified scope; and 
 instantiating the security policy in the particular cloud environment of the given cloud provider of the multiple cloud providers used by the particular enterprise. 
 
     
     
       13. The method as described in  claim 12  wherein the pre-defined restrictions are one of: Service Block Controls, Region Block Controls, Sensitive Permission Controls, and Resource Configuration/Creation Controls.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.